Netgate Discussion Forum
    IKEv2 Win mobile client - no traffic after re-key

    IPsec
    3 Posts 1 Posters 559 Views
      bradsm87
      last edited by bradsm87

      Windows 10/11 client behind NAT
      AES128 SHA1 G2 on P1
      AES128 SHA1 on P2 with no PFS
      (This is just an example of my most recent test. I use another config on new setups)

      VPN client and IPsec status on the pfSense show everything is still connected, but no traffic can pass after the first re-key, after around an hour.

      I've specifically set all the encryption etc. with PowerShell so that there is no mismatch in the proposals.

      P1 and P2 lifetimes are well above the default Windows lifetimes so that Windows presumably always does the re-keys.

      Here is what I think is a log of the re-key:

      Dec 7 14:45:54 charon 47973 15[NET] <con-mobile|8086> received packet: from ClientPublicIP[4500] to ServerPublicIP[4500] (300 bytes)
      Dec 7 14:45:54 charon 47973 15[ENC] <con-mobile|8086> parsed CREATE_CHILD_SA request 6 [ N(REKEY_SA) SA No TSi TSr ]
      Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> selecting proposal:
      Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> proposal matches
      Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> selecting traffic selectors for us:
      Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> config: 10.2.1.0/24|/0, received: 0.0.0.0/0|/0 => match: 10.2.1.0/24|/0
      Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> config: 10.2.1.0/24|/0, received: ::/0|/0 => no match
      Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> config: 10.1.1.0/24|/0, received: 0.0.0.0/0|/0 => match: 10.1.1.0/24|/0
      Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> config: 10.1.1.0/24|/0, received: ::/0|/0 => no match
      Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> selecting traffic selectors for other:
      Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> config: 10.4.2.16/32|/0, received: 0.0.0.0/0|/0 => match: 10.4.2.16/32|/0
      Dec 7 14:45:54 charon 47973 15[CFG] <con-mobile|8086> config: 10.4.2.16/32|/0, received: ::/0|/0 => no match
      Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4269} state change: CREATED => INSTALLING
      Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> using AES_CBC for encryption
      Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> using HMAC_SHA1_96 for integrity
      Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> adding inbound ESP SA
      Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> SPI 0xc21d9b52, src ClientPublicIP dst ServerPublicIP
      Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> registering outbound ESP SA
      Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> SPI 0x83893db2, src ServerPublicIP dst ClientPublicIP
      Dec 7 14:45:54 charon 47973 15[IKE] <con-mobile|8086> inbound CHILD_SA con-mobile{4269} established with SPIs c21d9b52_i 83893db2_o and TS 10.1.1.0/24|/0 10.2.1.0/24|/0 === 10.4.2.16/32|/0
      Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4269} state change: INSTALLING => INSTALLED
      Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: INSTALLED => REKEYING
      Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: REKEYING => REKEYED
      Dec 7 14:45:54 charon 47973 15[ENC] <con-mobile|8086> generating CREATE_CHILD_SA response 6 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
      Dec 7 14:45:54 charon 47973 15[NET] <con-mobile|8086> sending packet: from ServerPublicIP[4500] to ClientPublicIP[4500] (220 bytes)
      Dec 7 14:45:54 charon 47973 05[NET] <con-mobile|8086> received packet: from ClientPublicIP[4500] to ServerPublicIP[4500] (76 bytes)
      Dec 7 14:45:54 charon 47973 05[ENC] <con-mobile|8086> parsed INFORMATIONAL request 7 [ D ]
      Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> received DELETE for ESP CHILD_SA with SPI 976a3f4e
      Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> closing CHILD_SA con-mobile{4265} with SPIs c898f5e4_i (187547 bytes) 976a3f4e_o (318632 bytes) and TS 10.1.1.0/24|/0 10.2.1.0/24|/0 === 10.4.2.16/32|/0
      Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> sending DELETE for ESP CHILD_SA with SPI c898f5e4
      Dec 7 14:45:54 charon 47973 05[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: REKEYED => DELETING
      Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> CHILD_SA closed
      Dec 7 14:45:54 charon 47973 05[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: DELETING => DELETED
      Dec 7 14:45:54 charon 47973 05[CHD] <con-mobile|8086> adding outbound ESP SA
      Dec 7 14:45:54 charon 47973 05[CHD] <con-mobile|8086> SPI 0x83893db2, src ServerPublicIP dst ClientPublicIP
      Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> outbound CHILD_SA con-mobile{4269} established with SPIs c21d9b52_i 83893db2_o and TS 10.1.1.0/24|/0 10.2.1.0/24|/0 === 10.4.2.16/32|/0
      Dec 7 14:45:54 charon 47973 05[ENC] <con-mobile|8086> generating INFORMATIONAL response 7 [ D ]
      Dec 7 14:45:54 charon 47973 05[NET] <con-mobile|8086> sending packet: from ServerPublicIP[4500] to ClientPublicIP[4500] (76 bytes)
      Dec 7 14:45:56 charon 47973 09[IKE] <con1|8079> queueing CHILD_DELETE task
      Dec 7 14:45:56 charon 47973 09[IKE] <con1|8079> activating new tasks
      Dec 7 14:45:56 charon 47973 09[IKE] <con1|8079> activating CHILD_DELETE task
      Dec 7 14:45:56 charon 47973 09[CHD] <con1|8079> CHILD_SA con1{4266} state change: DELETED => DESTROYING
      Dec 7 14:45:56 charon 47973 09[IKE] <con1|8079> activating new tasks
      Dec 7 14:45:56 charon 47973 09[IKE] <con1|8079> nothing to initiate
      Dec 7 14:45:59 charon 47973 09[IKE] <con-mobile|8086> queueing CHILD_DELETE task
      Dec 7 14:45:59 charon 47973 09[IKE] <con-mobile|8086> activating new tasks
      Dec 7 14:45:59 charon 47973 09[IKE] <con-mobile|8086> activating CHILD_DELETE task
      Dec 7 14:45:59 charon 47973 09[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: DELETED => DESTROYING

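Added example, not code from the thread or from pfSense/strongSwan: a small Python parser over charon log lines of the kind quoted above. It tracks each CHILD_SA's state transitions, SPIs and byte counters and then checks whether the rekey completed on the pfSense side, i.e. whether the new CHILD_SA got both its inbound and its outbound ESP SA installed and the old one was torn down. The sample log embedded in it is a constructed subset of the post's own excerpt; the regular expressions assume the charon message formats shown there and nothing else.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the charon rekey log quoted in the post above.
SAMPLE_LOG = """\
Dec 7 14:45:54 charon 47973 15[ENC] <con-mobile|8086> parsed CREATE_CHILD_SA request 6 [ N(REKEY_SA) SA No TSi TSr ]
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4269} state change: CREATED => INSTALLING
Dec 7 14:45:54 charon 47973 15[IKE] <con-mobile|8086> inbound CHILD_SA con-mobile{4269} established with SPIs c21d9b52_i 83893db2_o and TS 10.1.1.0/24|/0 10.2.1.0/24|/0 === 10.4.2.16/32|/0
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4269} state change: INSTALLING => INSTALLED
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: INSTALLED => REKEYING
Dec 7 14:45:54 charon 47973 15[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: REKEYING => REKEYED
Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> received DELETE for ESP CHILD_SA with SPI 976a3f4e
Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> closing CHILD_SA con-mobile{4265} with SPIs c898f5e4_i (187547 bytes) 976a3f4e_o (318632 bytes) and TS 10.1.1.0/24|/0 10.2.1.0/24|/0 === 10.4.2.16/32|/0
Dec 7 14:45:54 charon 47973 05[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: REKEYED => DELETING
Dec 7 14:45:54 charon 47973 05[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: DELETING => DELETED
Dec 7 14:45:54 charon 47973 05[IKE] <con-mobile|8086> outbound CHILD_SA con-mobile{4269} established with SPIs c21d9b52_i 83893db2_o and TS 10.1.1.0/24|/0 10.2.1.0/24|/0 === 10.4.2.16/32|/0
Dec 7 14:45:59 charon 47973 09[CHD] <con-mobile|8086> CHILD_SA con-mobile{4265} state change: DELETED => DESTROYING
"""

# Message shapes taken from the excerpt: state transitions, per-direction SA
# installation with SPIs, and the "closing" line that carries byte counters.
STATE_RE = re.compile(
    r"CHILD_SA (?P<name>\S+)\{(?P<id>\d+)\} state change: (?P<old>\w+) => (?P<new>\w+)")
ESTAB_RE = re.compile(
    r"(?P<dir>inbound|outbound) CHILD_SA (?P<name>\S+)\{(?P<id>\d+)\} established "
    r"with SPIs (?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o")
CLOSE_RE = re.compile(
    r"closing CHILD_SA (?P<name>\S+)\{(?P<id>\d+)\} with SPIs "
    r"(?P<spi_i>[0-9a-f]+)_i \((?P<bytes_i>\d+) bytes\) "
    r"(?P<spi_o>[0-9a-f]+)_o \((?P<bytes_o>\d+) bytes\)")


@dataclass
class ChildSA:
    """What the log tells us about one CHILD_SA instance (the {NNNN} id)."""
    name: str
    ident: int
    states: List[str] = field(default_factory=list)
    spi_in: Optional[str] = None
    spi_out: Optional[str] = None
    inbound_up: bool = False      # "inbound CHILD_SA ... established" seen
    outbound_up: bool = False     # "outbound CHILD_SA ... established" seen
    bytes_in: int = 0             # counters reported when the SA is closed
    bytes_out: int = 0

    @property
    def current_state(self) -> Optional[str]:
        return self.states[-1] if self.states else None


def parse_charon_log(text: str) -> Dict[int, ChildSA]:
    """Build a ChildSA record per CHILD_SA id from raw charon log lines."""
    sas: Dict[int, ChildSA] = {}

    def get(name: str, ident: str) -> ChildSA:
        return sas.setdefault(int(ident), ChildSA(name, int(ident)))

    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            sa = get(m["name"], m["id"])
            if not sa.states:
                sa.states.append(m["old"])
            sa.states.append(m["new"])
            continue
        m = ESTAB_RE.search(line)
        if m:
            sa = get(m["name"], m["id"])
            sa.spi_in, sa.spi_out = m["spi_i"], m["spi_o"]
            if m["dir"] == "inbound":
                sa.inbound_up = True
            else:
                sa.outbound_up = True
            continue
        m = CLOSE_RE.search(line)
        if m:
            sa = get(m["name"], m["id"])
            sa.spi_in, sa.spi_out = m["spi_i"], m["spi_o"]
            sa.bytes_in, sa.bytes_out = int(m["bytes_i"]), int(m["bytes_o"])
    return sas


def rekey_outcome(sas: Dict[int, ChildSA], old_id: int, new_id: int) -> Tuple[bool, List[str]]:
    """Check that a rekey finished cleanly on the responder side.

    Clean means: the new CHILD_SA has both ESP directions installed and the
    old CHILD_SA reached DELETED or DESTROYING. Returns (ok, reasons)."""
    old, new = sas.get(old_id), sas.get(new_id)
    reasons: List[str] = []
    if new is None or not new.inbound_up:
        reasons.append(f"new CHILD_SA {{{new_id}}}: inbound ESP SA never established")
    if new is None or not new.outbound_up:
        reasons.append(f"new CHILD_SA {{{new_id}}}: outbound ESP SA never established")
    if old is None or old.current_state not in ("DELETED", "DESTROYING"):
        reasons.append(f"old CHILD_SA {{{old_id}}}: not torn down "
                       f"(last state {old.current_state if old else 'unknown'})")
    return (not reasons, reasons)


if __name__ == "__main__":
    sas = parse_charon_log(SAMPLE_LOG)
    for sa in sorted(sas.values(), key=lambda s: s.ident):
        print(f"{sa.name}{{{sa.ident}}} {' -> '.join(sa.states)} "
              f"spi_in={sa.spi_in} spi_out={sa.spi_out} "
              f"in={sa.inbound_up} out={sa.outbound_up} "
              f"bytes={sa.bytes_in}/{sa.bytes_out}")
    ok, reasons = rekey_outcome(sas, 4265, 4269)
    print("rekey clean" if ok else "rekey problems: " + "; ".join(reasons))
```

Run against the excerpt, the check passes: {4269} gets its inbound SA first, the outbound SA only after {4265} has been deleted (the order the log shows), and {4265} ends in DESTROYING with non-zero byte counters. That tells you the pfSense side completed the rekey; it says nothing about whether the client actually switched to the new SPIs. When this check passes but traffic still stops, the next thing to look at is the new SA's byte counters in the pfSense IPsec status: if they stay at zero once the old SPIs are gone, the peer is not sending on the new SA, which points away from the proposal configuration and toward the client or authentication path.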
        bradsm87
        last edited by

        I just tried with PFS and still the same issue. Any ideas anyone?

          bradsm87
          last edited by

          I finally got a working test without the issue. Issue only occurs with RADIUS authentication and EAP-RADIUS. EAP-MSCHAPv2 with local user/PSK list does not have the issue.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.